Re: How to Force Packet Traversal Order (IPFW2 => PF)

From: alfadev via freebsd-ipfw <freebsd-ipfw_at_FreeBSD.org>
Date: Mon, 02 Aug 2021 08:38:06 UTC
Thank you all,
I did further research and found the same issue (Multi WAN + Captive Portal not working when pf+ipfw are enabled at the same time) on OPNsense.

first mention is here:
https://github.com/opnsense/core/issues/1166

here is the OPNSENSE solution:
https://git.furworks.de/opensourcemirror/opnsense-src/commit/83fd8a61b942d84f553e53127c4be02b318f7cf4

https://reviews.freebsd.org/D8109

I will try the solutions in the links above and hope this helps me and others.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, August 1st, 2021 at 1:19 AM, Martin Beran <martin@mber.cz> wrote:

> Fri 30. 7. 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:
>
> > Hi,
> >
> > I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
> >
> > According to my observations, the firewalls follow this order in all of my
> > scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> > When I create a load-balancing rule using PF's route-to, packets do not enter
> > IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> > captive portal etc. do not work.
> >
> > So I am trying to do this order:
> >
> > input => ipfw => pf
> >
> > but I think I cannot change this order without touching the kernel level.
> >
> > When I did some research I found this:
> >
> > https://www.opennet.ru/tips/info/1431.shtml
>
> I think that you do not need to touch kernel source, nor build a custom
> kernel. The order of calling packet filtering modules depends on the order
> of registering the modules to packet processing hooks. Instead of loading
> the modules by their respective startup scripts, you can load them in the
> required order by including them in /etc/rc.conf in variable kld_list. I do
> not remember if the order of calling is the same or the opposite of the
> order of module loading.
>
> Martin Beran
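As an added example (not part of this thread, and not code from FreeBSD or OPNsense), here is a small POSIX sh check of the module order recorded in kld_list, the rc.conf variable Martin Beran mentions. It assumes the usual `kld_list="mod1 mod2 ..."` form in an rc.conf-style file; the sample file it writes is constructed for the demonstration. It only reports the relative position of two modules, since the thread does not settle whether the hook call order follows or reverses the load order.

```shell
# Added example: inspect the kld_list assignment in an rc.conf-style file
# and report the relative load order of two kernel modules.
# Assumption: the file uses the usual kld_list="mod1 mod2 ..." syntax.

# Print the space-separated module names from the kld_list assignment in $1.
# rc.conf semantics: the last assignment wins, so only the last line is used;
# trailing comments and quotes are stripped.
kld_list_modules() {
    sed -n 's/^[[:space:]]*kld_list=//p' "$1" | tail -n 1 \
        | sed 's/#.*$//; s/["'"'"']//g; s/[[:space:]]*$//'
}

# Exit status 0 if module $2 is listed before module $3 in kld_list of file $1,
# 1 if it is listed after, 2 if either module is missing from kld_list.
kld_order() {
    first=""; second=""; i=0
    for mod in $(kld_list_modules "$1"); do
        i=$((i + 1))
        [ "$mod" = "$2" ] && first=$i
        [ "$mod" = "$3" ] && second=$i
    done
    [ -n "$first" ] && [ -n "$second" ] || return 2
    [ "$first" -lt "$second" ]
}

# Write a constructed rc.conf fragment to $1 (sample data, not a real host).
make_sample() {
    printf 'hostname="gw.example"\nkld_list="ipfw pf"  # load order\n' > "$1"
}

# Stand-alone usage: report the order found in the constructed sample.
if [ -z "${KLD_ORDER_NO_DEMO:-}" ]; then
    sample=$(mktemp)
    make_sample "$sample"
    echo "kld_list modules: $(kld_list_modules "$sample")"
    if kld_order "$sample" ipfw pf; then
        echo "ipfw is loaded before pf"
    else
        echo "pf is loaded before ipfw (or one module is missing)"
    fi
    rm -f "$sample"
fi
```

On a real gateway, point `kld_list_modules` at /etc/rc.conf and, if modules are also loaded from /boot/loader.conf, remember that those are loaded earlier than anything in kld_list.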